
Re: security backports for removed packages



On Mon, Dec 12, 2016 at 03:30:19PM +0100, Rhonda D'Vine wrote:
> * Dominic Hargreaves <dom@earth.li> [2016-12-12 13:42:28 CET]:
> > Anyway, I have a similar issue with mysql-5.6 which I backported due
> > to a local requirement earlier in the year.
> > 
> > Now that MySQL has been removed from testing, it's not clear what's
> > permitted.
> 
>  It will get replaced by mysql-5.7, not?  It's not so much a similar
> issue, mysql is a supported package and will get shipped with stretch.

My understanding is that it won't, since it is being replaced with
MariaDB: https://release.debian.org/britney/hints/pochu. Yes, you could
argue that that is not much different since MariaDB is supposed to be
a drop-in replacement, but that doesn't seem like something it makes 
sense to inflict on backports users without warning. (I also don't know
if it would include the changes made in MySQL 5.6 that warranted the
backport in the first place).

> > As it happens mysql-5.6 is still being maintained (just about)
> > in unstable, but I was unable to upload the backport of that for
> > reasons I don't understand[1]. My interpretation was that it was
> > permitted to upload versions not from testing if it was to fix security
> > issues, which that upload did.
> 
>  That exception is for fast-tracking security issues that might be
> delayed to transition into testing but actually are expected to end in
> testing at some point.  That's not the case with virtualbox which won't
> enter stretch anymore as it is.

Sure. And in fact I just noticed the "(which is intended for testing)"
addition in https://backports.debian.org/Contribute/ which does clarify.

>  That exception isn't there to get packages into backports that aren't
> targeted at a stable release.
> 
>  So, updating mysql in backports to 5.7 is the way to go here. :)
> 
>  Hope that clears up the difference a bit?

Thanks, although given the above I don't think that's right as mysql-5.7
isn't intended to be in stretch.
> > Side note: that list appears to be dead, which implies that
> > either backports is getting no security updates, or people are
> > forgetting to send out advisories or blocked from doing so (I recall
> > the last time I asked for a BSA in May I didn't get a response).
> > How can we fix this?
> 
>  I plan to work on a script in the near future that will improve the
> current workflow for approving BSAs and thus reduce the overhead on our
> end.

Great news, thanks!

Given all of the above I fear that the only real option is to remove
mysql-5.6 from backports and carry on packaging it privately for myself
:/

Can you take care of that, or should I ask someone else?

And if so, please could I have a BSA number so I can write a security
advisory telling people of this fact?

Cheers,
Dominic.

